Posted
by
Soulskill
on Tuesday December 25, 2012 @06:32PM
from the stop-drop-and-roll-doesn't-work dept.

badger.foo writes "When you're hit with a DDOS, what do you do? In his most recent column, Peter Hansteen narrates a recent incident that involved a DNS based DDOS against his infrastructure and that of some old friends of his. He ends up asking: should we actively publish or 'name and shame' DDOS participants (or at least their IP addresses)? How about scans that may or may not be preparations for DDOSes to come?"

Someone steals your car every night and drives it around, you're not aware of the problem, however someone sees people driving your car and throwing shit at people and lets the police know. The police then pass on the information to you saying "Why is your car out there throwing shit at people at night?"

It is up to you to make sure that your car is properly locked and secured at night, so people can't steal it and take it for joyrides.

Note the responses of the ISP's and name and shame the ISP's that do not take action.
IP addresses from bad ISP's should end up on a "botnet-friendly ip list" so we can start blocking the traffic from these isp's.

On a DoS or DDoS (special case of DoS) that's fine. On a reflective DDoS (RDDoS, a special case of both DDoS and DoS) you have a different situation. A denial of service (DoS) is any interruption of service, e.g., by flooding the server with SYN packets. A distributed denial of service (DDoS) is when the attack comes from multiple different places at once, e.g., a single connection may not be enough to take down a server with high bandwidth; However if you coordinate the attack across many different connections then the overall traffic can eclipse even a high bandwidth server. With a DDoS the machines coordinating the attack may or may not belong to the attackers, but it's a good idea to contact the ISPs so that the IP holders can be notified that their systems may be infected with a bot-net -- Although, this may not be the case, as I'll explain later. In a reflective distributed denial of service (RDDoS), the apparent IP addresses may belong to machines that were under the control of any malicious software. Reporting these IPs would be pointless.

When a server receives the first SYN (synchronize) packet of a TCP connection handshake, it replies with a SYN-ACK (acknowledgement & synchronization) to the source IP of the originating packet. Then a ACK is sent to the server to acknowledge the server's synchronization. This verifies both endpoints aren't spoofed. A RDDoS takes advantage of the fact that:
0. The source IP address of the initial SYN packet can be spoofed (the "From" field can be bogus).
1. The server sends a SYN-ACK before the connection endpoints have been verified.
2. The TCP protocol allows several (five) retries of the SYN-ACK packet.

In a RDDoS, a single malicious computer can spoof the "From" IP of a TCP connection, and spray it around to servers on the net. The bogus return IP address is that of the victim system. Thus, legitimate servers will flood the victim's connection with five SYN-ACK packets for each single packet the attacker sends. Thus the victim never has the attacker's IP address. To combat this servers may pro-actively detect an IP that sends too many incomplete TCP connection requests, and block it. However, the attacker can have many IP addresses at their control (see: botnet) limited to just a few packets per hour sent to an entire Internet of servers. None of these infected machines will be revealing their IP addresses when they perform the reflective attack by spoofing the source IPs of their packets. What we need is for ISPs to block packets originating from their network that that don't have correct return IP addresses... Not all ISPs do this.

Now what if the attacker only has a single machine at their control and they perform an RDDoS? Why, the traffic pattern is identical to a DDoS -- Ah, I can hear your gears turning already: Can't the return IP addresses can be checked to see if they're residential IPs, and thus victims of a botnet infection? Yes, but how do you differentiate the non-residential IPs between infected servers and non infected servers? Just assume that the non-residential IPs aren't intentionally malicious? Yes, indeed, which is why RDDoS is a popular form of network DoS.

I reiterate: What we need is for ISPs to block packets originating from their network that that don't have correct return IP addresses; Thus, spoofed packets are dropped at the source. You'd think with deep packet inspection now available this shallow packet inspection would be broadly adopted -- Ah, but this is electrons spent that don't directly benefit profits. IPsec [wikipedia.org] was once a requirement of IPv6 adoption, and would defeat endpoint spoofing, however IPSec has been made optional for IPv6, so we can expect the RDDoS attacks to continue for quite some time.